Bug 24027: We moved from Gitian to rbm; adapt the website

Georg Koppen authored on 05/02/2018 09:20:20
@@ -297,7 +297,7 @@
297 297
     <p>Starting with Tor Browser 4.5a4 we sign our MAR files which helps
298 298
     securing our update process. The downside of this is the need for additional
299 299
     instructions to verify that the MAR files we ship are indeed the ones we
300
-    produced with our Gitian setup.</p>
300
+    produced with our rbm setup.</p>
301 301
 
302 302
     <p>Assuming the verification happens on a Linux computer one first needs the
303 303
     <tt>mar-tools-linux*.zip</tt> out of the <tt>gitian-builder/inputs</tt>
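Review bot: the changed line now says "produced with our rbm setup", but the very next context line still tells the reader to take the mar tools out of `<tt>gitian-builder/inputs</tt>`; if the Gitian tree is gone after the move, that path needs updating too (or the sentence should say where the mar-tools zip lives under rbm), otherwise the two sentences contradict each other.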

Edits instruction on how to verify sig on win

hiromipaw authored on 12/07/2017 21:14:56
@@ -94,14 +94,13 @@
94 94
 
95 95
     <h3>Windows</h3>
96 96
     <hr>
97
-    <p>You need to have GnuPG installed before
98
-    you can verify signatures. Download it from <a
99
-    href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>
97
+    <p>First of all you need to have GnuPG installed before you can verify signatures.
98
+    Download it from <a href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>
100 99
     <p>Once it's installed, use GnuPG to import the key that signed your
101
-    package. Since GnuPG for Windows is a command-line tool, you will need
102
-    to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
103
-    you will need to tell Windows the full path to the GnuPG program. If
104
-    you installed GnuPG with the default values, the path should be
100
+    package. In order to verify the signature you will need to type a few commands
101
+    in windows command-line, <i>cmd.exe</i>.
102
+    <p>Unless you edit your PATH environment variable, you will need to tell Windows
103
+    the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be
105 104
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
106 105
     <p>The Tor Browser team signs Tor Browser releases. Import its key
107 106
     (0x4E2C6E8793298290) by starting <i>cmd.exe</i> and typing:</p>
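Review bot: the paragraph that now ends `in windows command-line, <i>cmd.exe</i>.` never gets its closing `</p>` before the new `<p>Unless you edit your PATH environment variable, ...` opens, so one `<p>` is nested inside an unclosed `<p>`; add `</p>` at the end of that line. Two smaller points in the same hunk: "windows" should be capitalised, and "First of all you need to have GnuPG installed before you can verify signatures." reads more naturally as "You need to have GnuPG installed before you can verify signatures."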

Small improvements to verify signatures page

hiromipaw authored on 10/07/2017 10:28:32
@@ -18,17 +18,16 @@
18 18
     the one we have created and has not been modified by some attacker.</p>
19 19
 
20 20
     <p>Digital signature is a cryptographic mechanism. If you want to learn more
21
-    about how it works see <a href="https://www.gnupg.org/documentation/">
22
-    https://www.gnupg.org/documentation/</a>.</p>
21
+    about how it works see <a href="https://en.wikipedia.org/wiki/Digital_signature">
22
+    https://en.wikipedia.org/wiki/Digital_signature</a>.</p>
23 23
 
24 24
     <h3>What is a signature and why should I check it?</h3>
25 25
     <hr>
26 26
 
27 27
     <p>How do you know that the Tor program you have is really the one we made?
28 28
     Digital signatures ensure that the package you are downloading was created by
29
-    our developers. It uses a cryptographic mechanism which outputs a sequence of
30
-    characters that is always the same unless the software has not been tampered
31
-    with.</p>
29
+    our developers. It uses a cryptographic mechanism to ensure that the software package
30
+    that you have just downloaded is authentic. </p>
32 31
 
33 32
     <p>For many Tor users it is important to verify that the Tor software is authentic
34 33
     as they have very real adversaries who might try to give them a fake version
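Review bot: in the rewritten sentence `It uses a cryptographic mechanism to ensure that the software package` the subject is the plural "Digital signatures" from the sentence before, so it should read "They use" (or the previous sentence should be made singular); there is also a stray space before the closing tag in `is authentic. </p>`. Pointing the "learn more about how it works" link at the Wikipedia article on digital signatures rather than the GnuPG documentation is the right choice for a reader who wants the concept rather than the tool.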
@@ -37,11 +36,18 @@
37 36
     <p>If the Tor package has been modified by some attacker it is not safe to use.
38 37
     It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
39 38
 
39
+    <p>Before you go ahead and download something, there are a few extra steps you
40
+    should take to make sure you have downloaded an authentic version of Tor.</p>
41
+
42
+    <h4>Always download Tor from torproject.org</h4>
43
+
40 44
     <p>There are a variety of attacks that can be used to make you download a fake
41 45
     version of Tor. For example, an attacker could trick you into thinking some other
42
-    website is a great place to download Tor. That's why you should
46
+    website is a great place to download Tor. You should
43 47
     always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
44 48
 
49
+    <h4>Always make sure you are browsing over https</h4>
50
+
45 51
     <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
46 52
     Https is the secure version of the http protocol which uses encryption and authentication between your
47 53
     browser and the website. This makes it much harder for the attacker
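Review bot: the new lead-in `Before you go ahead and download something, there are a few extra steps you should take to make sure you have downloaded an authentic version of Tor.` is self-contradictory (steps to take before downloading, to make sure you have already downloaded); "there are a few steps you should take to make sure the version of Tor you get is authentic" says what is meant. The `<h4>` subheadings that follow read well as the list of those steps.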
@@ -55,6 +61,8 @@
55 61
     attackers who have the ability to trick your browser into thinking
56 62
     you're talking to the Tor website with https when you're not.</p>
57 63
 
64
+    <h4>Always verify signatures of packages you have downloaded</h4>
65
+
58 66
     <p>Some software sites list <a
59 67
     href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
60 68
     hashes</a> alongside the software on their website, so users can
@@ -116,6 +124,7 @@
116 124
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
117 125
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
118 126
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
127
+    <p>Please substitute "Alice" with your own username.</p>
119 128
     <p>The output should say "Good signature": </p>
120 129
     <pre>
121 130
     gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
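Review bot: the added `<p>Please substitute "Alice" with your own username.</p>` is useful but lands after the command, and readers copy the `<pre>` block before reading on; folding it into the introductory sentence ("Assuming you are logged in as Alice and downloaded the package and its signature to your Desktop, run:") or placing it before the `<pre>` makes it harder to miss.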

Started updating verify signatures page

hiromipaw authored on 07/07/2017 13:08:25
@@ -12,24 +12,44 @@
12 12
     <h1>How to verify signatures for packages</h1>
13 13
     <hr>
14 14
 
15
+    <p>Digital signature is a process ensuring that a certain package was
16
+    generated by its developers and has not been tampered with. Below we explain
17
+    why it is important and how to verify that the Tor program you download is
18
+    the one we have created and has not been modified by some attacker.</p>
19
+
20
+    <p>Digital signature is a cryptographic mechanism. If you want to learn more
21
+    about how it works see <a href="https://www.gnupg.org/documentation/">
22
+    https://www.gnupg.org/documentation/</a>.</p>
23
+
15 24
     <h3>What is a signature and why should I check it?</h3>
16 25
     <hr>
17 26
 
18
-    <p>How do you know that the Tor program you have is really the
19
-    one we made? Many Tor users have very real adversaries who might
20
-    try to give them a fake version of Tor &mdash; and it doesn't matter
21
-    how secure and anonymous Tor is if you're not running the real Tor.</p>
27
+    <p>How do you know that the Tor program you have is really the one we made?
28
+    Digital signatures ensure that the package you are downloading was created by
29
+    our developers. It uses a cryptographic mechanism which outputs a sequence of
30
+    characters that is always the same unless the software has not been tampered
31
+    with.</p>
32
+
33
+    <p>For many Tor users it is important to verify that the Tor software is authentic
34
+    as they have very real adversaries who might try to give them a fake version
35
+    of Tor.</p>
22 36
 
23
-    <p>An attacker could try a variety of attacks to get you to download
24
-    a fake Tor. For example, he could trick you into thinking some other
37
+    <p>If the Tor package has been modified by some attacker it is not safe to use.
38
+    It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
39
+
40
+    <p>There are a variety of attacks that can be used to make you download a fake
41
+    version of Tor. For example, an attacker could trick you into thinking some other
25 42
     website is a great place to download Tor. That's why you should
26
-    always download Tor from <b>https</b>://www.torproject.org/. The
27
-    https part means there's encryption and authentication between your
28
-    browser and the website, making it much harder for the attacker
43
+    always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
44
+
45
+    <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
46
+    Https is the secure version of the http protocol which uses encryption and authentication between your
47
+    browser and the website. This makes it much harder for the attacker
29 48
     to modify your download. But it's not perfect. Some places in the
30
-    world block the Tor website, making users try <a href="<page
31
-    docs/faq>#GetTor">somewhere else</a>. Large
32
-    companies sometimes force employees to use a modified browser,
49
+    world block the Tor website, making users to download Tor <a href="<page
50
+    docs/faq>#GetTor">somewhere else</a>.</p>
51
+
52
+    <p>Large companies sometimes force employees to use a modified browser,
33 53
     so the company can listen in on all their browsing. We've even <a
34 54
     href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
35 55
     attackers who have the ability to trick your browser into thinking
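Review bot: the added sentence `characters that is always the same unless the software has not been tampered with` is a double negative that states the opposite of what is meant, and it describes a checksum rather than a signature (what the reader checks is that the signature on the package verifies with the developers' public key, not that a string of characters is "always the same"); suggest "It uses a cryptographic mechanism that lets you check, with the developers' public key, that the package is the one they signed and has not been modified since." Further down in the hunk, `making users to download Tor` should be "making users download Tor". The new intro paragraph also sends readers to https://www.gnupg.org/documentation/ to "learn more about how it works", which documents the tool rather than the concept.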
@@ -93,8 +113,8 @@
93 113
     <p>To verify the signature of the package you downloaded, you will need
94 114
     to download the ".asc" file as well. Assuming you downloaded the
95 115
     package and its signature to your Desktop, run:</p>
96
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify
97
-    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc
116
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
117
+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
98 118
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
99 119
     <p>The output should say "Good signature": </p>
100 120
     <pre>
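Review bot: the `\` added at the end of `"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \` and of the `.asc` line is the Unix shell continuation character; cmd.exe does not treat a trailing backslash as a line continuation (its continuation character is `^`), so a reader who pastes these three lines into cmd.exe runs `gpg.exe --verify \` on its own and then the two paths as separate commands. Either keep the command on one line inside the `<pre>` and let the browser wrap it, or end the first two lines with `^`.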

Add a line break for gpg verify instruction on linux

hiromipaw authored on 10/04/2017 14:39:00
@@ -154,7 +154,7 @@
154 154
     <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
155 155
 
156 156
     <strong>For Linux users</strong> (change 64 to 32 if you have the 32-bit package):<br />
157
-    <pre>gpg --verify tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz.asc
157
+    <pre>gpg --verify tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz.asc \
158 158
     tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz</pre>
159 159
 
160 160
     <p>The output should say "Good signature":</p>

Make 64bit instructions default for Linux on signature verification page

hiromipaw authored on 10/04/2017 14:28:23
@@ -153,9 +153,9 @@
153 153
     <strong>For Mac OS X users</strong>:<br />
154 154
     <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
155 155
 
156
-    <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
157
-    <pre>gpg --verify tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz.asc
158
-    tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz</pre>
156
+    <strong>For Linux users</strong> (change 64 to 32 if you have the 32-bit package):<br />
157
+    <pre>gpg --verify tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz.asc
158
+    tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz</pre>
159 159
 
160 160
     <p>The output should say "Good signature":</p>
161 161
 
@@ -214,8 +214,8 @@
214 214
       file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
215 215
       They can all be found in the same directory under
216 216
       <a href="https://www.torproject.org/dist/torbrowser/">
217
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>'
218
-      for Tor Browser <version-torbrowserbundlelinux32>.</li>
217
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux64>'
218
+      for Tor Browser <version-torbrowserbundlelinux64>.</li>
219 219
       <li>In case your operating system is adding the .txt extension
220 220
       automatically to the SHA256 sums signature file strip it again by running
221 221
       <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>

Fix layout for verify signature page

hiromipaw authored on 25/01/2017 18:03:51
@@ -93,7 +93,9 @@
93 93
     <p>To verify the signature of the package you downloaded, you will need
94 94
     to download the ".asc" file as well. Assuming you downloaded the
95 95
     package and its signature to your Desktop, run:</p>
96
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
96
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify
97
+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc
98
+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
97 99
     <p>The output should say "Good signature": </p>
98 100
     <pre>
99 101
     gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
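Review bot: splitting the command over three lines inside `<pre>` without any continuation character changes what a reader who copies it gets: cmd.exe executes `"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify` with no arguments and then tries to run the `.asc` and `.exe` paths as commands of their own. If the line is too long to display, end the continued lines with cmd.exe's `^` character or let the `<pre>` wrap through CSS instead of inserting newlines.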
@@ -152,7 +154,8 @@
152 154
     <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
153 155
 
154 156
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
155
-    <pre>gpg --verify tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz.asc tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz</pre>
157
+    <pre>gpg --verify tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz.asc
158
+    tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz</pre>
156 159
 
157 160
     <p>The output should say "Good signature":</p>
158 161
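Review bot: the same concern applies to the Linux command: with a bare newline between `tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz.asc` and the `.tar.xz` line, a shell runs `gpg --verify <file>.asc` alone (which still verifies, because gpg then looks for the signed data in the file named without the `.asc` suffix) and afterwards tries to execute the `.tar.xz` filename as a command, adding a shell error on top of the verification output. A trailing `\` on the first line keeps it one command.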
 

Update gpg verification instructions for Linux users

hiromipaw authored on 25/01/2017 17:56:40
@@ -152,7 +152,7 @@
152 152
     <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
153 153
 
154 154
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
155
-    <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
155
+    <pre>gpg --verify tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz.asc tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz</pre>
156 156
 
157 157
     <p>The output should say "Good signature":</p>
158 158
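Review bot: the explicit `gpg --verify <signature> <file>` form is more portable than the old `{.asc*,}` expansion (which needs bash brace expansion and relies on the `*` glob matching only the `.asc` file), but the change also drops the directory prefix while the Mac line just above still uses `~/Downloads/`; either prefix both arguments with `~/Downloads/` or add a `cd ~/Downloads` step, so the Linux command runs where the page says the files were saved.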
 

Fix typos in paragraph about signatures date

hiromipaw authored on 25/01/2017 16:55:28
@@ -57,8 +57,8 @@
57 57
     torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc. For a list
58 58
     of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
59 59
 
60
-    <p>We now show how you can verify the downloaded file digital signature on
61
-    different Operating systems. Please notice that a signature is dated the moment
60
+    <p>We now show how you can verify the downloaded file's digital signature on
61
+    different operating systems. Please notice that a signature is dated the moment
62 62
     the package has been signed. Therefore every time a new file is uploaded a new
63 63
     signature is generated with a different date. As long as you have verified the
64 64
     signature you should not worry that the reported date may vary.

Add short paragraph on digital sig dates. Clean .gitignore

hiromipaw authored on 19/01/2017 11:20:17
@@ -56,6 +56,14 @@
56 56
     torbrowser-install-<version-torbrowserbundle>_en-US.exe is accompanied by
57 57
     torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc. For a list
58 58
     of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
59
+
60
+    <p>We now show how you can verify the downloaded file digital signature on
61
+    different Operating systems. Please notice that a signature is dated the moment
62
+    the package has been signed. Therefore every time a new file is uploaded a new
63
+    signature is generated with a different date. As long as you have verified the
64
+    signature you should not worry that the reported date may vary.
65
+    </p>
66
+
59 67
     <h3>Windows</h3>
60 68
     <hr>
61 69
     <p>You need to have GnuPG installed before
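Review bot: in the new paragraph, `the downloaded file digital signature` needs a possessive ("the downloaded file's digital signature"), `different Operating systems` should be lowercase, and "Please notice" reads better as "Please note". The substance is worth keeping: the date in the `gpg: Signature made ...` line is the signing time, so readers should not expect it to match the sample output on the page.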
@@ -105,6 +113,7 @@
105 113
     to the developer. The best method is to meet the developer in person and
106 114
     exchange key fingerprints.
107 115
     </p>
116
+
108 117
     <h3>Mac OS X and Linux</h3>
109 118
     <hr>
110 119
 
@@ -283,4 +292,3 @@
283 292
 </div>
284 293
 <!-- END CONTENT -->
285 294
 #include <foot.wmi>
286
-

Bug 20954: Checking OS X bundles with sha256sum does not work

Due to Apple's codesigning requirement one can't simply compare hash
values to check whether a self-compiled bundle is matching the one we
ship. Yet our documentation seems to imply that. We should point this
problem out for now until we come up with a better solution.

Georg Koppen authored on 12/12/2016 19:58:41 • Sebastian Hahn committed on 13/12/2016 12:47:28
@@ -230,7 +230,10 @@
230 230
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
231 231
       hashdeep utility</a> and run
232 232
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
233
-      On Mac or Linux you can run <pre>shasum -a 256 &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
233
+      <p>On Linux you can run</p>
234
+      <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre>
235
+      without having to download a utility. Note: this does not work for OS X
236
+      yet due to Apple's codesigning requirement.</li>
234 237
       <li>You will see a string of letters and numbers.</li>
235 238
       <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
236 239
       <li>Locate the name of the Tor Browser file you downloaded.</li>
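Review bot: the markup in the replacement is uneven: `<p>On Linux you can run</p>` gets its own paragraph, but the continuation `without having to download a utility. Note: this does not work for OS X yet due to Apple's codesigning requirement.` is left as bare text after the `<pre>` inside the `<li>`, so the two halves of one sentence render differently; either wrap the tail in a `<p>` as well or drop the `<p>` around the lead-in. Also, the example hashes `&lt;TOR BROWSER FILE NAME&gt;.tar.gz`, while the Linux packages elsewhere on this page are `.tar.xz` files (`tor-browser-linux64-<version-torbrowserbundlelinux64>_en-US.tar.xz`), so the extension should be `.tar.xz`.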

Bug 20465: Call it 'Tor Browser', not 'The Tor Browser'

Arthur Edelstein authored on 25/10/2016 22:33:02
@@ -67,7 +67,7 @@
67 67
     you will need to tell Windows the full path to the GnuPG program. If
68 68
     you installed GnuPG with the default values, the path should be
69 69
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
70
-    <p>The Tor Browser team signs the Tor Browsers. Import its key
70
+    <p>The Tor Browser team signs Tor Browser releases. Import its key
71 71
     (0x4E2C6E8793298290) by starting <i>cmd.exe</i> and typing:</p>
72 72
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
73 73
     <p>After importing the key, you can verify that the fingerprint
@@ -116,7 +116,7 @@
116 116
     </p>
117 117
 
118 118
     <p>The next step is to use GnuPG to import the key that signed
119
-    your package. The Tor Browser team signs the Tor Browsers. Import its
119
+    your package. The Tor Browser team signs Tor Browser releases. Import its
120 120
     key (0x4E2C6E8793298290) by starting the terminal (under "Applications"
121 121
     in Mac OS X) and typing:</p>
122 122
 
@@ -189,7 +189,7 @@
189 189
        property</a> of Tor Browser 3.0 and later. Anyone can build
190 190
        Tor Browser on their own machine and produce a binary that is
191 191
        bit-for-bit identical to the binary we offer on the download page.
192
-       Fortunately, it is not necessary for everyone to build the Tor Browser
192
+       Fortunately, it is not necessary for everyone to build Tor Browser
193 193
        locally to get this security. Verifying and comparing the signed list
194 194
        of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a>
195 195
        will confirm that multiple people have built Tor Browsers
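Review bot: the rename is incomplete within this hunk: the trailing context line `will confirm that multiple people have built Tor Browsers` still uses the plural form this commit is removing everywhere else; "have built Tor Browser" follows the new convention.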

Add new subkeys for Tor Browser's and gk's key

Georg Koppen authored on 21/09/2016 14:44:51 • Sebastian Hahn committed on 21/09/2016 17:45:20
@@ -80,6 +80,7 @@
80 80
     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
81 81
     sub   4096R/F65C2036 2014-12-15
82 82
     sub   4096R/D40814E0 2014-12-15
83
+    sub   4096R/C3C07136 2016-08-24
83 84
 </pre>
84 85
     <p>To verify the signature of the package you downloaded, you will need
85 86
     to download the ".asc" file as well. Assuming you downloaded the
@@ -95,7 +96,8 @@
95 96
     <p>Currently valid subkey fingerprints are:
96 97
     <pre>
97 98
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
98
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
99
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
100
+    A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136</pre></p>
99 101
     <p>
100 102
     Notice that there is a warning because you haven't assigned a trust
101 103
     index to this person. This means that GnuPG verified that the key made
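Review bot: `A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136</pre></p>` closes a `<pre>` that sits inside a `<p>` (`<p>Currently valid subkey fingerprints are:` followed by `<pre>`), which is not valid HTML: a block element cannot be a child of `<p>`, so browsers implicitly close the paragraph at the `<pre>` and the trailing `</p>` is stray. Not introduced by this change, but since these lines are being edited, close the `<p>` before the `<pre>` here and in the identical block in the Mac OS X and Linux section below.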
@@ -131,7 +133,8 @@
131 133
           Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
132 134
     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
133 135
     sub   4096R/F65C2036 2014-12-15
134
-    sub   4096R/D40814E0 2014-12-15</pre>
136
+    sub   4096R/D40814E0 2014-12-15
137
+    sub   4096R/C3C07136 2016-08-24</pre>
135 138
     <p>To verify the signature of the package you downloaded, you will need
136 139
     to download the ".asc" file as well. Assuming you downloaded the
137 140
     package and its signature to your Downloads folder, run:</p>
@@ -152,7 +155,8 @@
152 155
     Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:
153 156
     <pre>
154 157
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
155
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
158
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
159
+    A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136</pre></p>
156 160
     <p>
157 161
     Notice that there is a warning because you haven't assigned a trust
158 162
     index to this person. This means that GnuPG verified that the key made

weasel says specifying x-hkp:// or hkp:// is not needed

also apparently x-hkp:// doesn't work on some clients

Roger Dingledine authored on 04/08/2016 22:55:10
@@ -69,7 +69,7 @@
69 69
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
70 70
     <p>The Tor Browser team signs the Tor Browsers. Import its key
71 71
     (0x4E2C6E8793298290) by starting <i>cmd.exe</i> and typing:</p>
72
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
72
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
73 73
     <p>After importing the key, you can verify that the fingerprint
74 74
     is correct:</p>
75 75
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x4E2C6E8793298290</pre>
@@ -118,7 +118,7 @@
118 118
     key (0x4E2C6E8793298290) by starting the terminal (under "Applications"
119 119
     in Mac OS X) and typing:</p>
120 120
 
121
-    <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
121
+    <pre>gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
122 122
 
123 123
     <p>After importing the key, you can verify that the fingerprint
124 124
     is correct:</p>

Update signature verification page

This update fixes bug 17851 by changing all http:// links to gpg related
websites to https:// ones. Furthermore, it incorporates feedback Josef
provided to us with respect to signature and SHA256 sums verification on
OS X. Thirdly, we need to set LD_LIBRARY_PATH to be able to strip MAR
signatures. And, finally, this patch cleans up the GPG output of the Tor
Browser developers signing key.

Georg Koppen authored on 23/12/2015 15:28:39 • Sebastian Hahn committed on 12/01/2016 12:59:58
@@ -36,7 +36,7 @@
36 36
     you're talking to the Tor website with https when you're not.</p>
37 37
 
38 38
     <p>Some software sites list <a
39
-    href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
39
+    href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
40 40
     hashes</a> alongside the software on their website, so users can
41 41
     verify that they downloaded the file without any errors. These
42 42
     "checksums" help you answer the question "Did I download this file
@@ -60,7 +60,7 @@
60 60
     <hr>
61 61
     <p>You need to have GnuPG installed before
62 62
     you can verify signatures. Download it from <a
63
-    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
63
+    href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>
64 64
     <p>Once it's installed, use GnuPG to import the key that signed your
65 65
     package. Since GnuPG for Windows is a command-line tool, you will need
66 66
     to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
@@ -80,7 +80,6 @@
80 80
     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
81 81
     sub   4096R/F65C2036 2014-12-15
82 82
     sub   4096R/D40814E0 2014-12-15
83
-    sub   4096R/589839A3 2014-12-15
84 83
 </pre>
85 84
     <p>To verify the signature of the package you downloaded, you will need
86 85
     to download the ".asc" file as well. Assuming you downloaded the
@@ -96,8 +95,7 @@
96 95
     <p>Currently valid subkey fingerprints are:
97 96
     <pre>
98 97
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
99
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
100
-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
98
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
101 99
     <p>
102 100
     Notice that there is a warning because you haven't assigned a trust
103 101
     index to this person. This means that GnuPG verified that the key made
@@ -110,7 +108,7 @@
110 108
 
111 109
     <p>You need to have GnuPG installed before you can verify
112 110
     signatures. If you are using Mac OS X, you can install it from <a
113
-    href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>. If you
111
+    href="https://www.gpgtools.org/">https://www.gpgtools.org/</a>. If you
114 112
     are using Linux, then it's probably you already have GnuPG in your
115 113
     system, as most Linux distributions come with it preinstalled.
116 114
     </p>
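Review bot: while touching this paragraph for the https link, the context line `are using Linux, then it's probably you already have GnuPG in your` is ungrammatical; "then you probably already have GnuPG on your system" is the intended sentence.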
@@ -133,17 +131,14 @@
133 131
           Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
134 132
     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
135 133
     sub   4096R/F65C2036 2014-12-15
136
-    sub   4096R/D40814E0 2014-12-15
137
-    sub   4096R/589839A3 2014-12-15
138
-    </pre>
139
-
134
+    sub   4096R/D40814E0 2014-12-15</pre>
140 135
     <p>To verify the signature of the package you downloaded, you will need
141 136
     to download the ".asc" file as well. Assuming you downloaded the
142
-    package and its signature to your Desktop, run:</p>
137
+    package and its signature to your Downloads folder, run:</p>
143 138
 
144 139
     <strong>For Mac OS X users</strong>:<br />
145
-    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
146
-    
140
+    <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
141
+
147 142
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
148 143
     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
149 144
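Review bot: the intro sentence now says `package and its signature to your Downloads folder, run:` and the Mac command was moved to `~/Downloads/`, but the Linux command on the next context line still reads `gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}`, so one of the two commands contradicts the sentence; change the Linux path to `~/Downloads/` in the same hunk.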
 
@@ -157,8 +152,7 @@
157 152
     Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:
158 153
     <pre>
159 154
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
160
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
161
-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
155
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
162 156
     <p>
163 157
     Notice that there is a warning because you haven't assigned a trust
164 158
     index to this person. This means that GnuPG verified that the key made
@@ -177,7 +171,7 @@
177 171
     </p>
178 172
 
179 173
     <p>See <a
180
-    href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
174
+    href="https://www.gnupg.org/documentation/">https://www.gnupg.org/documentation/</a>
181 175
     to learn more about GnuPG.</p>
182 176
 
183 177
     <hr>
@@ -204,14 +198,16 @@
204 198
       file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
205 199
       They can all be found in the same directory under
206 200
       <a href="https://www.torproject.org/dist/torbrowser/">
207
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'
208
-      for Tor Browser 4.5.1.</li>
201
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>'
202
+      for Tor Browser <version-torbrowserbundlelinux32>.</li>
203
+      <li>In case your operating system is adding the .txt extension
204
+      automatically to the SHA256 sums signature file strip it again by running
205
+      <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>
209 206
       <li>Retrieve the signers' GPG keys. This can be done from the command
210 207
       line by entering something like
211 208
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
212 209
       (This will bring you the public part of the Tor Browser developers'
213
-       signing key. Other
214
-      developers' key IDs can be found on
210
+       signing key. Other developers' key IDs can be found on
215 211
       <a href="<page docs/signing-keys>">this
216 212
       page</a>.)</li>
217 213
       <li>Verify the sha256sums-unsigned-build.txt file by executing this
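Review bot: the new `<li>In case your operating system is adding the .txt extension` item is never closed with `</li>` before the next `<li>` begins, while the surrounding items all close explicitly; add `</li>` after `<pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>`. Separately, this list fetches the key with `gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290` while the Windows and Mac sections of the same page use `pool.sks-keyservers.net`; using one keyserver throughout saves readers wondering whether the two serve different keys.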
@@ -230,7 +226,7 @@
230 226
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
231 227
       hashdeep utility</a> and run
232 228
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
233
-      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
229
+      On Mac or Linux you can run <pre>shasum -a 256 &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
234 230
       <li>You will see a string of letters and numbers.</li>
235 231
       <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
236 232
       <li>Locate the name of the Tor Browser file you downloaded.</li>
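Review bot: The Linux example in the changed line still reads "sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz", but the Linux package verified earlier on this page is "tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz", so the extension should be ".tar.xz". Switching the Mac example to "shasum -a 256" is right, since stock macOS ships no sha256sum binary. Separately, the three "<pre>" elements sit inside one running sentence within the "<li>"; "<pre>" is block-level and each renders on its own line, so either use "<tt>" for the inline commands or break the sentence around them.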
... ...
@@ -241,7 +237,7 @@
241 237
     </ul>
242 238
 
243 239
     <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>
244
-    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
240
+    to <a href="https://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
245 241
     these steps have been written, but to use them you will need to modify
246 242
     them yourself with the latest Tor Browser filename.</p>
247 243
 
... ...
@@ -263,6 +259,7 @@
263 259
     <pre>
264 260
     cd /path/to/MAR/file
265 261
     unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
262
+    export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools
266 263
     mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
267 264
     <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
268 265
     with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
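Review bot: "export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools" leaves the variable set for the rest of the shell session, so every program started afterwards also loads shared libraries from that directory; scope it to the one command instead: "LD_LIBRARY_PATH=mar-tools mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar". The absolute path also repeats the directory the preceding "cd" line already entered, so "$PWD/mar-tools" or a relative path keeps the two from drifting apart. In the unchanged context below the hunk, "<tt>sha265sums-unsigned-build.txt</tt>" still has the digit transposition and should be "sha256sums-unsigned-build.txt".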

Update advanced verification instructions

Georg Koppen authored on 13/05/2015 14:20:10
Showing 1 changed file
... ...
@@ -200,11 +200,12 @@
200 200
       <p>The steps below walk through this process:</p>
201 201
 
202 202
     <ul>
203
-      <li>Download the Tor Browser package, the sha256sums.txt file, and the
204
-      sha256sums signature files. They can all be found in the same directory
205
-      under <a href="https://www.torproject.org/dist/torbrowser/">
206
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1'
207
-      for TBB 3.6.1.</li>
203
+      <li>Download the Tor Browser package, the <tt>sha256sums-unsigned-build.txt</tt>
204
+      file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
205
+      They can all be found in the same directory under
206
+      <a href="https://www.torproject.org/dist/torbrowser/">
207
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'
208
+      for Tor Browser 4.5.1.</li>
208 209
       <li>Retrieve the signers' GPG keys. This can be done from the command
209 210
       line by entering something like
210 211
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
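Review bot: The example directory is hard-coded as '4.5.1' in the added lines (replacing an equally hard-coded '3.6.1'), whereas the rest of this page uses template placeholders such as "<version-torbrowserbundlelinux32>" for version strings in the gpg --verify examples; using the same placeholder here stops this step going stale at every release. The "<tt>" markup for the two filenames matches the surrounding items.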
... ...
@@ -213,8 +214,9 @@
213 214
       developers' key IDs can be found on
214 215
       <a href="<page docs/signing-keys>">this
215 216
       page</a>.)</li>
216
-      <li>Verify the sha256sums.txt file by executing this command:
217
-      <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
217
+      <li>Verify the sha256sums-unsigned-build.txt file by executing this
218
+      command:
219
+      <pre>gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt</pre></li>
218 220
       <li>You should see a message like "Good signature from &lt;DEVELOPER
219 221
       NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
220 222
       <li>If you want to verify a Windows Tor Browser package you need to first
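Review bot: The verify command is correct, but the unchanged item right after it tells the reader to accept any "Good signature from &lt;DEVELOPER NAME&gt;" output, and gpg prints "Good signature" for any key present in the local keyring, including one just fetched from a keyserver by ID alone. The step should also have the reader compare the "Primary key fingerprint" line gpg prints against the Tor Browser signing key fingerprint given earlier on this page (EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290) before trusting the sums file.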
... ...
@@ -230,7 +232,7 @@
230 232
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
231 233
       On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
232 234
       <li>You will see a string of letters and numbers.</li>
233
-      <li>Open sha256sums.txt in a text editor.</li>
235
+      <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
234 236
       <li>Locate the name of the Tor Browser file you downloaded.</li>
235 237
       <li>Compare the string of letters and numbers to the left of your
236 238
       filename with the string of letters and numbers that appeared
... ...
@@ -263,9 +265,9 @@
263 265
     unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
264 266
     mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
265 267
     <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
266
-    with the one provided in the <tt>sha265sums.txt</tt> or
267
-    <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying
268
-    sha256sums (advancded)</a> above.</p>
268
+    with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
269
+    <tt>sha256sums-unsigned-build.incremental.txt</tt> as outlined in
270
+    <a href="#BuildVerification">Verifying sha256sums (advancded)</a> above.</p>
269 271
 
270 272
   </div>
271 273
   <!-- END MAINCOL -->
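Review bot: Two typos carried over from the removed lines into the added ones: "<tt>sha265sums-unsigned-build.txt</tt>" should be "sha256sums-unsigned-build.txt" (the name used in every other step of this section), and the link text "Verifying sha256sums (advancded)" should read "(advanced)", matching the #BuildVerification heading it points at.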

Add delcert.exe as signature removal tool

Georg Koppen authored on 30/04/2015 10:09:52
Showing 1 changed file
... ...
@@ -218,10 +218,10 @@
218 218
       <li>You should see a message like "Good signature from &lt;DEVELOPER
219 219
       NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
220 220
       <li>If you want to verify a Windows Tor Browser package you need to first
221
-      strip off the authenticode signature of it. One tool that can be used for
222
-      this purpose is <a
223
-      href="http:/osslsigncode.sourceforge.net">osslsigncode</a>. Assuming you
224
-      have built it on a Linux computer you can enter
221
+      strip off the authenticode signature of it. Tools that can be used for
222
+      this purpose are <a href="http://osslsigncode.sourceforge.net">osslsigncode</a> and
223
+      <a href="http://forum.xda-developers.com/showthread.php?t=416175">delcert.exe</a>.
224
+      Assuming you have built e.g. <tt>osslsigncode</tt> on a Linux computer you can enter
225 225
       <pre>/path/to/your/osslsigncode remove-signature &#92;
226 226
         /path/to/your/&lt;TOR BROWSER FILE NAME&gt;.exe &lt;TOR BROWSER FILE NAME&gt;.exe</pre></li>
227 227
       <li>Now you can take the sha256sum of the Tor Browser package. On
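Review bot: Pointing readers of a signature-verification guide at "delcert.exe" hosted in a forum thread (http://forum.xda-developers.com/showthread.php?t=416175) over plain HTTP, with no hash or signature for the tool itself, undercuts the page's own goal: whatever strips the Authenticode signature runs on the reader's machine with the not-yet-verified installer as input. If a Windows tool is wanted, link it over HTTPS and say how its download can be checked, or keep to the osslsigncode path the text already documents. The correction of "http:/osslsigncode.sourceforge.net" to "http://osslsigncode.sourceforge.net" is good.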

Update download links

The download links to the OSX bundles (now 64bit), the Tor expert
bundle (0.2.6.7 is the new stable version) and the alpha bundles (now
4.5) are updated.

Georg Koppen authored on 28/04/2015 12:53:42
Showing 1 changed file
... ...
@@ -142,7 +142,7 @@
142 142
     package and its signature to your Desktop, run:</p>
143 143
 
144 144
     <strong>For Mac OS X users</strong>:<br />
145
-    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
145
+    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
146 146
     
147 147
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
148 148
     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>

Bug 15598: Update documentation for TB 4.5

Refer to the Tor Browser signing key throughout the whole verifying-
signatures document.

Add documentation for stripping off the authenticode signatures of the
Windows installers.

Georg Koppen authored on 27/04/2015 13:19:11 • Mike Perry committed on 28/04/2015 03:10:49
Showing 1 changed file
... ...
@@ -207,8 +207,9 @@
207 207
       for TBB 3.6.1.</li>
208 208
       <li>Retrieve the signers' GPG keys. This can be done from the command
209 209
       line by entering something like
210
-      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
211
-      (This will bring you developer Mike Perry's public key. Other
210
+      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
211
+      (This will bring you the public part of the Tor Browser developers'
212
+       signing key. Other
212 213
       developers' key IDs can be found on
213 214
       <a href="<page docs/signing-keys>">this
214 215
       page</a>.)</li>
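Review bot: "gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290" fetches by key ID only, and nothing in this step asks the reader to confirm the fingerprint afterwards; the Windows and Mac sections of this same page follow --recv-keys with "gpg --fingerprint 0x4E2C6E8793298290" and show the expected value (EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290), so the advanced section should do the same rather than trusting whatever the keyserver returns for that ID. The keyserver also differs from the "x-hkp://pool.sks-keyservers.net" used elsewhere on the page; pick one. Minor: the added continuation line "signing key. Other" is indented one space more than its neighbours.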
... ...
@@ -216,6 +217,13 @@
216 217
       <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
217 218
       <li>You should see a message like "Good signature from &lt;DEVELOPER
218 219
       NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
220
+      <li>If you want to verify a Windows Tor Browser package you need to first
221
+      strip off the authenticode signature of it. One tool that can be used for
222
+      this purpose is <a
223
+      href="http:/osslsigncode.sourceforge.net">osslsigncode</a>. Assuming you
224
+      have built it on a Linux computer you can enter
225
+      <pre>/path/to/your/osslsigncode remove-signature &#92;
226
+        /path/to/your/&lt;TOR BROWSER FILE NAME&gt;.exe &lt;TOR BROWSER FILE NAME&gt;.exe</pre></li>
219 227
       <li>Now you can take the sha256sum of the Tor Browser package. On
220 228
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
221 229
       hashdeep utility</a> and run
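Review bot: The link in the added lines is malformed: href="http:/osslsigncode.sourceforge.net" has a single slash, so browsers resolve it relative to the current site. The remove-signature invocation also names its output "&lt;TOR BROWSER FILE NAME&gt;.exe" in the current directory, the same basename as the input; a reader who runs it from the download directory has osslsigncode reading and writing the same file, losing the original before its sha256 is taken. Give the output a distinct name such as "&lt;TOR BROWSER FILE NAME&gt;-unsigned.exe". Wording: "strip the Authenticode signature from it" rather than "strip off the authenticode signature of it".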

Bug 15253: Add Tor Browser subkey fingerprints

Georg Koppen authored on 27/03/2015 15:04:54 • Sebastian Hahn committed on 31/03/2015 11:47:09
Showing 1 changed file
... ...
@@ -92,8 +92,12 @@
92 92
     gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
93 93
     gpg: WARNING: This key is not certified with a trusted signature!
94 94
     gpg:          There is no indication that the signature belongs to the owner.
95
-    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
96
-    </pre>
95
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre>
96
+    <p>Currently valid subkey fingerprints are:
97
+    <pre>
98
+    5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
99
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
100
+    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
97 101
     <p>
98 102
     Notice that there is a warning because you haven't assigned a trust
99 103
     index to this person. This means that GnuPG verified that the key made
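Review bot: "<p>Currently valid subkey fingerprints are: <pre>...</pre></p>" is invalid nesting: a "<p>" may only contain phrasing content, so the HTML parser closes the paragraph when it meets "<pre>" and the trailing "</p>" becomes a stray end tag. Close the paragraph before the "<pre>" ("...fingerprints are:</p>" followed by the "<pre>" block).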
... ...
@@ -143,16 +147,18 @@
143 147
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
144 148
     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
145 149
 
146
-    <p>The output should say "Good signature": </p>
150
+    <p>The output should say "Good signature":</p>
147 151
 
148 152
     <pre>
149 153
     gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
150 154
     gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
151 155
     gpg: WARNING: This key is not certified with a trusted signature!
152 156
     gpg:          There is no indication that the signature belongs to the owner.
153
-    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
154
-    </pre>
155
-
157
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:
158
+    <pre>
159
+    5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
160
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
161
+    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
156 162
     <p>
157 163
     Notice that there is a warning because you haven't assigned a trust
158 164
     index to this person. This means that GnuPG verified that the key made
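Review bot: Same nesting problem as the Windows block: "<p> Currently valid subkey fingerprints are:" followed by "<pre>...</pre></p>" puts a block element inside a paragraph, and here "</pre> <p> Currently valid..." is also crammed onto the "Primary key fingerprint" line; split it onto its own line and close the "<p>" before the "<pre>". Since the three subkey fingerprints are now duplicated verbatim in two sections, consider one shared block (or an anchor to the first copy) so a future key rotation cannot update one list and miss the other.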
... ...
@@ -160,7 +166,7 @@
160 166
     to the developer. The best method is to meet the developer in person and
161 167
     exchange key fingerprints.
162 168
     </p>
163
-    
169
+
164 170
     <p>
165 171
     If you're a Linux user and you're using the <b>Debian</b> Tor (not Tor
166 172
     Browser) packages, you should read the instructions on <a

Bug 13407: Finish updating signature verification

A part of the page was not updated:
https://lists.torproject.org/pipermail/tor-dev/2015-March/008375.html

Nicolas Vigier authored on 05/03/2015 14:46:13
Showing 1 changed file
... ...
@@ -112,8 +112,8 @@
112 112
     </p>
113 113
 
114 114
     <p>The next step is to use GnuPG to import the key that signed
115
-    your package. Erinn Clark signs the Tor Browsers. Import her
116
-    key (0x416F061063FEE659) by starting the terminal (under "Applications"
115
+    your package. The Tor Browser team signs the Tor Browsers. Import its
116
+    key (0x4E2C6E8793298290) by starting the terminal (under "Applications"
117 117
     in Mac OS X) and typing:</p>
118 118
 
119 119
     <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>

Bug 13407: Update signature verification

Georg Koppen authored on 24/02/2015 13:50:53
Showing 1 changed file
... ...
@@ -53,8 +53,8 @@
53 53
     package and the extension ".asc". These .asc files are GPG
54 54
     signatures. They allow you to verify the file you've downloaded
55 55
     is exactly the one that we intended you to get. For example,
56
-    tor-browser-2.3.25-13_en-US.exe is accompanied by
57
-    tor-browser-2.3.25-13_en-US.exe.asc. For a list
56
+    torbrowser-install-<version-torbrowserbundle>_en-US.exe is accompanied by
57
+    torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc. For a list
58 58
     of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
59 59
     <h3>Windows</h3>
60 60
     <hr>
... ...
@@ -67,20 +67,20 @@
67 67
     you will need to tell Windows the full path to the GnuPG program. If
68 68
     you installed GnuPG with the default values, the path should be
69 69
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
70
-    <p>Erinn Clark signs the Tor Browsers. Import her key
71
-    (0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
72
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
70
+    <p>The Tor Browser team signs the Tor Browsers. Import its key
71
+    (0x4E2C6E8793298290) by starting <i>cmd.exe</i> and typing:</p>
72
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
73 73
     <p>After importing the key, you can verify that the fingerprint
74 74
     is correct:</p>
75
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659</pre>
75
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x4E2C6E8793298290</pre>
76 76
     <p>You should see:</p>
77 77
     <pre>
78
-    pub   2048R/63FEE659 2003-10-16
79
-          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
80
-    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
81
-    uid                  Erinn Clark &lt;erinn@debian.org&gt;
82
-    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
83
-    sub   2048R/EB399FD7 2003-10-16
78
+    pub   4096R/93298290 2014-12-15
79
+          Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
80
+    uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
81
+    sub   4096R/F65C2036 2014-12-15
82
+    sub   4096R/D40814E0 2014-12-15
83
+    sub   4096R/589839A3 2014-12-15
84 84
 </pre>
85 85
     <p>To verify the signature of the package you downloaded, you will need
86 86
     to download the ".asc" file as well. Assuming you downloaded the
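Review bot: The added uid line contains the raw address "<torbrowser@torproject.org>", whereas the removed lines escaped theirs as "&lt;erinn@torproject.org&gt;"; in HTML source an unescaped "<torbrowser@torproject.org>" is parsed as a tag and the address vanishes from the rendered page, so readers comparing against their own gpg --fingerprint output will not see it. Escape it as "&lt;torbrowser@torproject.org&gt;" here and in the three other output blocks this commit adds (the "Good signature from" lines and the Mac key listing).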
... ...
@@ -88,13 +88,11 @@
88 88
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
89 89
     <p>The output should say "Good signature": </p>
90 90
     <pre>
91
-    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
92
-    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
93
-    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
94
-    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
91
+    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
92
+    gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
95 93
     gpg: WARNING: This key is not certified with a trusted signature!
96 94
     gpg:          There is no indication that the signature belongs to the owner.
97
-    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
95
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
98 96
     </pre>
99 97
     <p>
100 98
     Notice that there is a warning because you haven't assigned a trust
... ...
@@ -118,21 +116,21 @@
118 116
     key (0x416F061063FEE659) by starting the terminal (under "Applications"
119 117
     in Mac OS X) and typing:</p>
120 118
 
121
-    <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
119
+    <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
122 120
 
123 121
     <p>After importing the key, you can verify that the fingerprint
124 122
     is correct:</p>
125 123
 
126
-    <pre>gpg --fingerprint 0x416F061063FEE659</pre>
124
+    <pre>gpg --fingerprint 0x4E2C6E8793298290</pre>
127 125
 
128 126
     <p>You should see:</p>
129 127
     <pre>
130
-    pub   2048R/63FEE659 2003-10-16
131
-          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
132
-    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
133
-    uid                  Erinn Clark &lt;erinn@debian.org&gt;
134
-    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
135
-    sub   2048R/EB399FD7 2003-10-16
128
+    pub   4096R/93298290 2014-12-15
129
+          Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
130
+    uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
131
+    sub   4096R/F65C2036 2014-12-15
132
+    sub   4096R/D40814E0 2014-12-15
133
+    sub   4096R/589839A3 2014-12-15
136 134
     </pre>
137 135
 
138 136
     <p>To verify the signature of the package you downloaded, you will need
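Review bot: The unchanged context at the top of this hunk still says "Import her key (0x416F061063FEE659)" while the command directly below it now fetches 0x4E2C6E8793298290; the prose and the command disagree about which key to import, so that paragraph needs the same rewrite the Windows section received in this commit (the "Finish updating signature verification" commit above addresses exactly this).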
... ...
@@ -148,13 +146,11 @@
148 146
     <p>The output should say "Good signature": </p>
149 147
 
150 148
     <pre>
151
-    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
152
-    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
153
-    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
154
-    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
149
+    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
150
+    gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
155 151
     gpg: WARNING: This key is not certified with a trusted signature!
156 152
     gpg:          There is no indication that the signature belongs to the owner.
157
-    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
153
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
158 154
     </pre>
159 155
 
160 156
     <p>

Fix grammar as pointed out by arma

Sebastian Hahn authored on 12/02/2015 07:59:31
Showing 1 changed file
... ...
@@ -142,7 +142,7 @@
142 142
     <strong>For Mac OS X users</strong>:<br />
143 143
     <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
144 144
     
145
-    <strong>For Linux users</strong> (change 32 by 64 if you have the 64-bit package):<br />
145
+    <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
146 146
     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
147 147
 
148 148
     <p>The output should say "Good signature": </p>

Fixed version tags and windows package name

ilv authored on 12/02/2015 04:04:48
Showing 1 changed file
... ...
@@ -85,7 +85,7 @@
85 85
     <p>To verify the signature of the package you downloaded, you will need
86 86
     to download the ".asc" file as well. Assuming you downloaded the
87 87
     package and its signature to your Desktop, run:</p>
88
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe</pre>
88
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
89 89
     <p>The output should say "Good signature": </p>
90 90
     <pre>
91 91
     gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
... ...
@@ -137,14 +137,13 @@
137 137
 
138 138
     <p>To verify the signature of the package you downloaded, you will need
139 139
     to download the ".asc" file as well. Assuming you downloaded the
140
-    package and its signature to your Desktop, run (where <version> stands
141
-    for the version of Tor Browser you downloaded):</p>
140
+    package and its signature to your Desktop, run:</p>
142 141
 
143
-    <strong>For Mac OS X users</strong>:
144
-    <pre>gpg --verify ~/Desktop/TorBrowser-<version>-osx32_en-US.dmg{.asc*,}</pre>
142
+    <strong>For Mac OS X users</strong>:<br />
143
+    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
145 144
     
146
-    <strong>For Linux users</strong> (change 32 by 64 if you have the 64-bit package):
147
-    <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version>_en-US.tar.xz{.asc*,}</pre>
145
+    <strong>For Linux users</strong> (change 32 by 64 if you have the 64-bit package):<br />
146
+    <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
148 147
 
149 148
     <p>The output should say "Good signature": </p>
150 149
 

Added missing hr and s/GPG/GnuPG/

ilv authored on 11/02/2015 21:00:23
Showing 1 changed file
... ...
@@ -177,7 +177,9 @@
177 177
 
178 178
     <p>See <a
179 179
     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
180
-    to learn more about GPG.</p>
180
+    to learn more about GnuPG.</p>
181
+
182
+    <hr>
181 183
 
182 184
     <a id="BuildVerification"></a>
183 185
     <h3><a class="anchor" href="#BuildVerification">

Combined osx and linux instructions

ilv authored on 11/02/2015 20:56:33
Showing 1 changed file
... ...
@@ -103,18 +103,20 @@
103 103
     to the developer. The best method is to meet the developer in person and
104 104
     exchange key fingerprints.
105 105
     </p>
106
-    <h3>Mac OS X</h3>
106
+    <h3>Mac OS X and Linux</h3>
107 107
     <hr>
108 108
 
109 109
     <p>You need to have GnuPG installed before you can verify
110
-    signatures. You can install it from <a
111
-    href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>.
110
+    signatures. If you are using Mac OS X, you can install it from <a
111
+    href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>. If you
112
+    are using Linux, then it's probably you already have GnuPG in your
113
+    system, as most Linux distributions come with it preinstalled.
112 114
     </p>
113 115
 
114
-    <p>Once it's installed, use GnuPG to import the key that signed
116
+    <p>The next step is to use GnuPG to import the key that signed
115 117
     your package. Erinn Clark signs the Tor Browsers. Import her
116
-    key (0x416F061063FEE659) by starting the terminal (under "Applications")
117
-    and typing:</p>
118
+    key (0x416F061063FEE659) by starting the terminal (under "Applications"
119
+    in Mac OS X) and typing:</p>
118 120
 
119 121
     <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
120 122
 
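Review bot: "then it's probably you already have GnuPG in your system" is ungrammatical; suggest "you probably already have GnuPG on your system, as most Linux distributions ship it preinstalled". Also, the heading now covers Linux, but the key-import step still says "starting the terminal (under "Applications" in Mac OS X)" and gives Linux readers no equivalent; a short "or your distribution's terminal emulator" would close that gap.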
... ...
@@ -135,9 +137,14 @@
135 137
 
136 138
     <p>To verify the signature of the package you downloaded, you will need
137 139
     to download the ".asc" file as well. Assuming you downloaded the
138
-    package and its signature to your Desktop, run:</p>
140
+    package and its signature to your Desktop, run (where <version> stands
141
+    for the version of Tor Browser you downloaded):</p>
139 142
 
140
-    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
143
+    <strong>For Mac OS X users</strong>:
144
+    <pre>gpg --verify ~/Desktop/TorBrowser-<version>-osx32_en-US.dmg{.asc*,}</pre>
145
+    
146
+    <strong>For Linux users</strong> (change 32 by 64 if you have the 64-bit package):
147
+    <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version>_en-US.tar.xz{.asc*,}</pre>
141 148
 
142 149
     <p>The output should say "Good signature": </p>
143 150
 
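Review bot: The added commands replace the site's template tag "<version-torbrowserbundleosx32>" with a plain "<version>" and ask the reader to substitute it by hand. The removed line used the template tag, which the site expands to the current release (the "Fixed version tags and windows package name" commit above restores it); the Linux tarball name in this hunk would likewise take "<version-torbrowserbundlelinux32>". Keep the template tags so the examples track releases without manual edits.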
... ...
@@ -158,30 +165,20 @@
158 165
     to the developer. The best method is to meet the developer in person and
159 166
     exchange key fingerprints.
160 167
     </p>
161
-
162
-    <h3>Linux</h3>
163
-    <hr>
164
-
165
-    <p>Most Linux distributions come with gpg preinstalled, so users
166
-    who want to verify the Tor Browser for Linux (or the source
167
-    tarball) can just follow along with the instructions above for
168
-    "Mac OS X". </p>
169
-
170
-    <p>If you're using the <b>Debian</b> Tor (not Tor Browser) packages, you 
171
-    should read the
172
-    instructions on <a href="<page docs/debian>#packages">importing
173
-    these keys to apt</a>.</p>
174
-
175
-    <p>If you're using the <b>RPMs</b> (for Tor, not Tor Browser), you can 
176
-    manually verify the
177
-    signatures on the RPM packages by <pre>rpm -K filename.rpm</pre></p>
168
+    
169
+    <p>
170
+    If you're a Linux user and you're using the <b>Debian</b> Tor (not Tor
171
+    Browser) packages, you should read the instructions on <a
172
+    href="<page docs/debian>#packages">importing these keys to apt</a>.
173
+    If you're using the <b>RPMs</b> (for Tor, not Tor Browser), you can
174
+    manually verify the signatures on the RPM packages by
175
+    <pre>rpm -K filename.rpm</pre>
176
+    </p>
178 177
 
179 178
     <p>See <a
180 179
     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
181 180
     to learn more about GPG.</p>
182 181
 
183
-    <hr>
184
-
185 182
     <a id="BuildVerification"></a>
186 183
     <h3><a class="anchor" href="#BuildVerification">
187 184
     Verifying sha256sums (advanced)</a></h3>
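Review bot: "<pre>rpm -K filename.rpm</pre>" inside a "<p>" is block-in-paragraph nesting (the parser closes the paragraph at the "<pre>", leaving a stray "</p>"); the removed version had the same defect, so this rewrite is the moment to end the paragraph before the "<pre>". Also, rpm -K only reports a signature as OK when the signing key has already been imported into the rpm keyring with rpm --import; the paragraph should say so, otherwise the reader sees a missing-key result and cannot interpret it. The "<hr>" separating this section from #BuildVerification is dropped here without a stated reason (the "Added missing hr" commit above restores it).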

Fix osx gpg instructions (#12563)

Sebastian Hahn authored on 09/02/2015 22:52:42
Showing 1 changed file
... ...
@@ -137,7 +137,7 @@
137 137
     to download the ".asc" file as well. Assuming you downloaded the
138 138
     package and its signature to your Desktop, run:</p>
139 139
 
140
-    <pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
140
+    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
141 141
 
142 142
     <p>The output should say "Good signature": </p>
143 143
 
... ...
@@ -220,7 +220,7 @@
220 220
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
221 221
       hashdeep utility</a> and run
222 222
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
223
-      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.zip</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
223
+      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
224 224
       <li>You will see a string of letters and numbers.</li>
225 225
       <li>Open sha256sums.txt in a text editor.</li>
226 226
       <li>Locate the name of the Tor Browser file you downloaded.</li>

Fixes osx arch tag in TorBrowser's name.

Sherief Alaa authored on 06/02/2015 09:26:21
Showing 1 changed file
... ...
@@ -137,7 +137,7 @@
137 137
     to download the ".asc" file as well. Assuming you downloaded the
138 138
     package and its signature to your Desktop, run:</p>
139 139
 
140
-    <pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx-i386-en-US.dmg{.asc*,}</pre>
140
+    <pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx32_en-US.dmg{.asc*,}</pre>
141 141
 
142 142
     <p>The output should say "Good signature": </p>
143 143
 

Bug 14304: Document stripping of MAR files

We add a section explaining how to verify that the signed MAR files we
ship are essentially the ones our Gitian setup produced.

Georg Koppen authored on 20/01/2015 14:00:36 • Sebastian Hahn committed on 20/01/2015 13:15:28
Showing 1 changed file
... ...
@@ -186,8 +186,8 @@
186 186
     <h3><a class="anchor" href="#BuildVerification">
187 187
     Verifying sha256sums (advanced)</a></h3>
188 188
     <hr>
189
-    <p>Build reproducibility is a <a 
190
-       href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security 
189
+    <p>Build reproducibility is a <a
190
+       href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security
191 191
        property</a> of Tor Browser 3.0 and later. Anyone can build
192 192
        Tor Browser on their own machine and produce a binary that is
193 193
        bit-for-bit identical to the binary we offer on the download page.
... ...
@@ -201,22 +201,22 @@
201 201
 
202 202
     <ul>
203 203
       <li>Download the Tor Browser package, the sha256sums.txt file, and the
204
-      sha256sums signature files. They can all be found in the same directory 
204
+      sha256sums signature files. They can all be found in the same directory
205 205
       under <a href="https://www.torproject.org/dist/torbrowser/">
206
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1' 
206
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1'
207 207
       for TBB 3.6.1.</li>
208
-      <li>Retrieve the signers' GPG keys. This can be done from the command 
209
-      line by entering something like 
208
+      <li>Retrieve the signers' GPG keys. This can be done from the command
209
+      line by entering something like
210 210
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
211
-      (This will bring you developer Mike Perry's public key. Other 
211
+      (This will bring you developer Mike Perry's public key. Other
212 212
       developers' key IDs can be found on
213
-      <a href="<page docs/signing-keys>">this 
213
+      <a href="<page docs/signing-keys>">this
214 214
       page</a>.)</li>
215 215
       <li>Verify the sha256sums.txt file by executing this command:
216 216
       <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
217
-      <li>You should see a message like "Good signature from &lt;DEVELOPER 
217
+      <li>You should see a message like "Good signature from &lt;DEVELOPER
218 218
       NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
219
-      <li>Now you can take the sha256sum of the Tor Browser package. On 
219
+      <li>Now you can take the sha256sum of the Tor Browser package. On
220 220
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
221 221
       hashdeep utility</a> and run
222 222
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
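Review bot: this hunk only strips trailing whitespace and is unrelated to the MAR-verification section added in the next hunk of the same change; splitting the whitespace cleanup into its own commit keeps the substantive change reviewable and keeps `git blame` on these lines meaningful.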
... ...
@@ -225,17 +225,39 @@
225 225
       <li>Open sha256sums.txt in a text editor.</li>
226 226
       <li>Locate the name of the Tor Browser file you downloaded.</li>
227 227
       <li>Compare the string of letters and numbers to the left of your
228
-      filename with the string of letters and numbers that appeared 
229
-      on your command line. If they match, you've successfully verified the 
230
-      build.</li> 
228
+      filename with the string of letters and numbers that appeared
229
+      on your command line. If they match, you've successfully verified the
230
+      build.</li>
231 231
     </ul>
232
-    
233
-    <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> 
234
-    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> 
235
-    these steps have been written, but to use them you will need to modify 
232
+
233
+    <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>
234
+    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
235
+    these steps have been written, but to use them you will need to modify
236 236
     them yourself with the latest Tor Browser filename.</p>
237
-    
237
+
238
+    <hr>
239
+
240
+    <a id="MARVerification"></a>
241
+    <h3><a class="anchor" href="#MARVerification">
242
+    Verifying MAR files we ship (advanced)</a></h3>
238 243
     <hr>
244
+    <p>Starting with Tor Browser 4.5a4 we sign our MAR files which helps
245
+    securing our update process. The downside of this is the need for additional
246
+    instructions to verify that the MAR files we ship are indeed the ones we
247
+    produced with our Gitian setup.</p>
248
+
249
+    <p>Assuming the verification happens on a Linux computer one first needs the
250
+    <tt>mar-tools-linux*.zip</tt> out of the <tt>gitian-builder/inputs</tt>
251
+    directory to remove the embedded signature(s). The steps to get the unsigned
252
+    MAR file on a 64 bit Linux are</p>
253
+    <pre>
254
+    cd /path/to/MAR/file
255
+    unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
256
+    mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
257
+    <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
258
+    with the one provided in the <tt>sha265sums.txt</tt> or
259
+    <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying
260
+    sha256sums (advancded)</a> above.</p>
239 261
 
240 262
   </div>
241 263
   <!-- END MAINCOL -->
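Review bot: two typos in the added closing paragraph: `sha265sums.txt` (line 258) should be `sha256sums.txt`, and `(advancded)` (line 260) should be `(advanced)`, matching the "Verifying sha256sums (advanced)" heading that the `#BuildVerification` link points to. Line 244, "which helps securing our update process", reads better as "which helps secure our update process". On substance, it is worth one sentence making clear that `signmar -r` only strips the embedded signature and checks nothing; the assurance comes from the SHA256 of the stripped file matching an entry in a `sha256sums*.txt` whose GPG signature was verified first, as the linked section describes. Minor: the commands inside the `<pre>` at lines 253-256 carry four leading spaces that will render verbatim.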

Remove some whitespace at eol

Sebastian Hahn authored on 20/12/2014 16:28:13
Showing 1 changed file
... ...
@@ -188,13 +188,13 @@
188 188
     <hr>
189 189
     <p>Build reproducibility is a <a 
190 190
        href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security 
191
-       property</a> of Tor Browser 3.0 and later. Anyone can build 
192
-       Tor Browser on their own machine and produce a binary that is 
193
-       bit-for-bit identical to the binary we offer on the download page. 
194
-       Fortunately, it is not necessary for everyone to build the Tor Browser 
195
-       locally to get this security. Verifying and comparing the signed list 
196
-       of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a> 
197
-       will confirm that multiple people have built Tor Browsers 
191
+       property</a> of Tor Browser 3.0 and later. Anyone can build
192
+       Tor Browser on their own machine and produce a binary that is
193
+       bit-for-bit identical to the binary we offer on the download page.
194
+       Fortunately, it is not necessary for everyone to build the Tor Browser
195
+       locally to get this security. Verifying and comparing the signed list
196
+       of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a>
197
+       will confirm that multiple people have built Tor Browsers
198 198
        identical to the download.</p>
199 199
 
200 200
       <p>The steps below walk through this process:</p>
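Review bot: the two unchanged context lines 189-190 (`<p>Build reproducibility is a <a ` and `...">security `) still end with a space, so the commit's stated purpose is not fully met for this paragraph; since they sit inside the hunk, strip them too.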

Replaced "the Tor Browser Bundle" in active docs.

Matt Pagan authored on 20/12/2014 16:05:28
Showing 1 changed file
... ...
@@ -67,7 +67,7 @@
67 67
     you will need to tell Windows the full path to the GnuPG program. If
68 68
     you installed GnuPG with the default values, the path should be
69 69
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
70
-    <p>Erinn Clark signs the Tor Browser Bundles. Import her key
70
+    <p>Erinn Clark signs the Tor Browsers. Import her key
71 71
     (0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
72 72
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
73 73
     <p>After importing the key, you can verify that the fingerprint
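Review bot: "Erinn Clark signs the Tor Browsers" (line 70) is ungrammatical once "Bundles" is dropped, since the product name is singular; "signs the Tor Browser packages" or "signs Tor Browser releases" keeps the meaning.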
... ...
@@ -112,7 +112,7 @@
112 112
     </p>
113 113
 
114 114
     <p>Once it's installed, use GnuPG to import the key that signed
115
-    your package. Erinn Clark signs the Tor Browser Bundles. Import her
115
+    your package. Erinn Clark signs the Tor Browsers. Import her
116 116
     key (0x416F061063FEE659) by starting the terminal (under "Applications")
117 117
     and typing:</p>
118 118
 
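Review bot: the same wording appears at line 115, "Erinn Clark signs the Tor Browsers"; use "signs the Tor Browser packages" here as well so both sections read the same.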
... ...
@@ -188,13 +188,13 @@
188 188
     <hr>
189 189
     <p>Build reproducibility is a <a 
190 190
        href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security 
191
-       property</a> of Tor Browser Bundle 3.0 and later. Anyone can build the 
192
-       Tor Browser Bundle on their own machine and produce a binary that is 
191
+       property</a> of Tor Browser 3.0 and later. Anyone can build 
192
+       Tor Browser on their own machine and produce a binary that is 
193 193
        bit-for-bit identical to the binary we offer on the download page. 
194 194
        Fortunately, it is not necessary for everyone to build the Tor Browser 
195 195
        locally to get this security. Verifying and comparing the signed list 
196 196
        of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a> 
197
-       will confirm that multiple people have built Tor Browser Bundles 
197
+       will confirm that multiple people have built Tor Browsers 
198 198
        identical to the download.</p>
199 199
 
200 200
       <p>The steps below walk through this process:</p>
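Review bot: the added lines 191, 192 and 197 keep the trailing whitespace of the lines they replace; since they are being rewritten anyway, strip it here rather than in a follow-up. Also, "multiple people have built Tor Browsers identical to the download" (line 197) has the same plural problem as the other hunks; "built Tor Browser binaries identical to the download" reads naturally.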
... ...
@@ -233,7 +233,7 @@
233 233
     <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> 
234 234
     to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> 
235 235
     these steps have been written, but to use them you will need to modify 
236
-    them yourself with the latest Tor Browser Bundle filename.</p>
236
+    them yourself with the latest Tor Browser filename.</p>
237 237
     
238 238
     <hr>
239 239
 

Swaps .zip with .dmg and .asc with .asc*

The tbb-team switched to a proper OS X package (.dmg) instead of .zip and Safari doesn't save .asc files as .asc files but .asc.txt

Sherief Alaa authored on 31/10/2014 13:07:58
Showing 1 changed file
... ...
@@ -137,7 +137,7 @@
137 137
     to download the ".asc" file as well. Assuming you downloaded the
138 138
     package and its signature to your Desktop, run:</p>
139 139
 
140
-    <pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx-i386-en-US.zip{.asc,}</pre>
140
+    <pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx-i386-en-US.dmg{.asc*,}</pre>
141 141
 
142 142
     <p>The output should say "Good signature": </p>
143 143
 
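Review bot: the new `{.asc*,}` pattern quietly depends on a shell glob, and the surrounding prose (line 137, "download the ".asc" file as well") does not tell the reader why; add a sentence saying Safari saves the signature as `.asc.txt`, so the pattern matches either name. Two caveats worth stating: brace expansion is a bash/zsh feature, so the line will not work in plain sh, and if both `.asc` and `.asc.txt` exist next to the `.dmg` the glob expands to two signature paths, which is not the `gpg --verify SIGNATURE DATA` shape the command relies on.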

Clearly distinguish by Tor packages and Tor Browser packages.

Matt Pagan authored on 20/06/2014 17:12:56
Showing 1 changed file
... ...
@@ -163,16 +163,17 @@
163 163
     <hr>
164 164
 
165 165
     <p>Most Linux distributions come with gpg preinstalled, so users
166
-    who want to verify the Tor Browser Bundle for Linux (or the source
166
+    who want to verify the Tor Browser for Linux (or the source
167 167
     tarball) can just follow along with the instructions above for
168
-    "Mac OS X". Note that sometimes Sebastian Hahn (key 0x140C961B)
169
-    signs the Linux TBB packages.</p>
168
+    "Mac OS X". </p>
170 169
 
171
-    <p>If you're using the <b>Debian</b> packages, you should read the
170
+    <p>If you're using the <b>Debian</b> Tor (not Tor Browser) packages, you 
171
+    should read the
172 172
     instructions on <a href="<page docs/debian>#packages">importing
173 173
     these keys to apt</a>.</p>
174 174
 
175
-    <p>If you're using the <b>RPMs</b>, you can manually verify the
175
+    <p>If you're using the <b>RPMs</b> (for Tor, not Tor Browser), you can 
176
+    manually verify the
176 177
     signatures on the RPM packages by <pre>rpm -K filename.rpm</pre></p>
177 178
 
178 179
     <p>See <a
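Review bot: the removal of the note about Sebastian Hahn's key 0x140C961B (lines 168-169) is a content change that the commit message does not mention; if he no longer signs the Linux packages, say so in the message, otherwise keep the note, because a reader who sees "Good signature" from a key other than Erinn Clark's needs to know whether that is expected. Smaller points: the added lines 170 and 175 end in trailing whitespace, line 168 leaves a stray space before `</p>`, and line 176 places a `<pre>` inside a `<p>`, which is invalid HTML.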

there is no page macro for dist

Andrew Lewman authored on 13/05/2014 04:06:06
Showing 1 changed file
... ...
@@ -201,9 +201,9 @@
201 201
     <ul>
202 202
       <li>Download the Tor Browser package, the sha256sums.txt file, and the
203 203
       sha256sums signature files. They can all be found in the same directory 
204
-      under <a href="<page dist/torbrowser>">
205
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5' 
206
-      for TBB 3.5.</li>
204
+      under <a href="https://www.torproject.org/dist/torbrowser/">
205
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1' 
206
+      for TBB 3.6.1.</li>
207 207
       <li>Retrieve the signers' GPG keys. This can be done from the command 
208 208
       line by entering something like 
209 209
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
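Review bot: besides the macro fix, lines 205-206 bump the example version from 3.5 to 3.6.1, which the commit message does not mention; a hard-coded version will go stale with every release, so either phrase the example as "the directory named after the release you downloaded" or use the site's version macro (the OS X section uses `<version-torbrowserbundleosx32>` for this).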

Use the <page> tag, or use it correctly.

Matt Pagan authored on 13/05/2014 02:03:48
Showing 1 changed file
... ...
@@ -201,7 +201,7 @@
201 201
     <ul>
202 202
       <li>Download the Tor Browser package, the sha256sums.txt file, and the
203 203
       sha256sums signature files. They can all be found in the same directory 
204
-      under <a href="https://www.torproject.org/dist/torbrowser/">
204
+      under <a href="<page dist/torbrowser>">
205 205
       https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5' 
206 206
       for TBB 3.5.</li>
207 207
       <li>Retrieve the signers' GPG keys. This can be done from the command 
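Review bot: line 204 changes the href to `<page dist/torbrowser>`, but `dist/torbrowser/` is a download directory rather than a wml page, and the visible link text on line 205 still carries the absolute URL; please confirm the `<page>` macro resolves for it before merging, otherwise the link breaks.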
... ...
@@ -209,7 +209,7 @@
209 209
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
210 210
       (This will bring you developer Mike Perry's public key. Other 
211 211
       developers' key IDs can be found on
212
-      <a href="https://www.torproject.org/docs/signing-keys.html.en">this 
212
+      <a href="<page docs/signing-keys>">this 
213 213
       page</a>.)</li>
214 214
       <li>Verify the sha256sums.txt file by executing this command:
215 215
       <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>

Moved verification instructions from the FAQ to verifying-signatures.

Matt Pagan authored on 13/05/2014 01:25:52
Showing 1 changed file
... ...
@@ -179,6 +179,63 @@
179 179
     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
180 180
     to learn more about GPG.</p>
181 181
 
182
+    <hr>
183
+
184
+    <a id="BuildVerification"></a>
185
+    <h3><a class="anchor" href="#BuildVerification">
186
+    Verifying sha256sums (advanced)</a></h3>
187
+    <hr>
188
+    <p>Build reproducibility is a <a 
189
+       href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security 
190
+       property</a> of Tor Browser Bundle 3.0 and later. Anyone can build the 
191
+       Tor Browser Bundle on their own machine and produce a binary that is 
192
+       bit-for-bit identical to the binary we offer on the download page. 
193
+       Fortunately, it is not necessary for everyone to build the Tor Browser 
194
+       locally to get this security. Verifying and comparing the signed list 
195
+       of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a> 
196
+       will confirm that multiple people have built Tor Browser Bundles 
197
+       identical to the download.</p>
198
+
199
+      <p>The steps below walk through this process:</p>
200
+
201
+    <ul>
202
+      <li>Download the Tor Browser package, the sha256sums.txt file, and the
203
+      sha256sums signature files. They can all be found in the same directory 
204
+      under <a href="https://www.torproject.org/dist/torbrowser/">
205
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5' 
206
+      for TBB 3.5.</li>
207
+      <li>Retrieve the signers' GPG keys. This can be done from the command 
208
+      line by entering something like 
209
+      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
210
+      (This will bring you developer Mike Perry's public key. Other 
211
+      developers' key IDs can be found on
212
+      <a href="https://www.torproject.org/docs/signing-keys.html.en">this 
213
+      page</a>.)</li>
214
+      <li>Verify the sha256sums.txt file by executing this command:
215
+      <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
216
+      <li>You should see a message like "Good signature from &lt;DEVELOPER 
217
+      NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
218
+      <li>Now you can take the sha256sum of the Tor Browser package. On 
219
+      Windows you can use the <a href="http://md5deep.sourceforge.net/">
220
+      hashdeep utility</a> and run
221
+      <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
222
+      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.zip</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
223
+      <li>You will see a string of letters and numbers.</li>
224
+      <li>Open sha256sums.txt in a text editor.</li>
225
+      <li>Locate the name of the Tor Browser file you downloaded.</li>
226
+      <li>Compare the string of letters and numbers to the left of your
227
+      filename with the string of letters and numbers that appeared 
228
+      on your command line. If they match, you've successfully verified the 
229
+      build.</li> 
230
+    </ul>
231
+    
232
+    <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> 
233
+    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> 
234
+    these steps have been written, but to use them you will need to modify 
235
+    them yourself with the latest Tor Browser Bundle filename.</p>
236
+    
237
+    <hr>
238
+
182 239
   </div>
183 240
   <!-- END MAINCOL -->
184 241
   <div id = "sidecol">
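Review bot: the verification procedure stops one check short. Line 209 fetches key 0x29846B3C683686CC from a keyserver and lines 216-217 accept any "Good signature from <DEVELOPER NAME>", but "Good signature" only means the file matches some key in the reader's keyring, and anyone can upload a key carrying a developer's name to a keyserver. Add a step, as the Windows section does with `gpg --fingerprint` after importing, telling the reader to compare the key's full fingerprint with the one on the signing-keys page before trusting the result. Second, `hashdeep -c sha256sum` (line 221) looks wrong: hashdeep's `-c` takes algorithm names such as `sha256`, so the command should read `hashdeep -c sha256 <TOR BROWSER FILE NAME>.exe`. Minor: the `<pre>` elements placed mid-sentence in lines 215 and 222 render as blocks and split the list item's sentence, and most added lines end in trailing whitespace.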

add the correct >.

Andrew Lewman authored on 06/11/2013 18:11:31
Showing 1 changed file
... ...
@@ -55,7 +55,7 @@
55 55
     is exactly the one that we intended you to get. For example,
56 56
     tor-browser-2.3.25-13_en-US.exe is accompanied by
57 57
     tor-browser-2.3.25-13_en-US.exe.asc. For a list
58
-    of which developer signs which package, see our <a href="<page docs/signing-keys">signing keys</a> page.</p>
58
+    of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
59 59
     <h3>Windows</h3>
60 60
     <hr>
61 61
     <p>You need to have GnuPG installed before

revert mttp's changes.

Andrew Lewman authored on 06/11/2013 18:06:14
Showing 1 changed file
... ...
@@ -48,19 +48,19 @@
48 48
 
49 49
     <h3>Where do I get the signatures and the keys that made them?</h3>
50 50
     <hr>
51
-    <p>Each file on <a href="/web/20130929222100/https://www.torproject.org/download/download.html.en">our download
51
+    <p>Each file on <a href="<page download/download>">our download
52 52
     page</a> is accompanied by a file with the same name as the
53 53
     package and the extension ".asc". These .asc files are GPG
54 54
     signatures. They allow you to verify the file you've downloaded
55 55
     is exactly the one that we intended you to get. For example,
56 56
     tor-browser-2.3.25-13_en-US.exe is accompanied by
57 57
     tor-browser-2.3.25-13_en-US.exe.asc. For a list
58
-    of which developer signs which package, see our <a href="/web/20130929222100/https://www.torproject.org/docs/signing-keys.html.en">signing keys</a> page.</p>
58
+    of which developer signs which package, see our <a href="<page docs/signing-keys">signing keys</a> page.</p>
59 59
     <h3>Windows</h3>
60 60
     <hr>
61 61
     <p>You need to have GnuPG installed before
62 62
     you can verify signatures. Download it from <a
63
-    href="/web/20130929222100/http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
63
+    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
64 64
     <p>Once it's installed, use GnuPG to import the key that signed your
65 65
     package. Since GnuPG for Windows is a command-line tool, you will need
66 66
     to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
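Review bot: line 63 restores the gpg4win download link as plain `http://`; since this is the tool the reader will use to verify every later signature, link it over `https://` (gpg4win.org serves HTTPS), otherwise the verification chain starts with an unauthenticated download. The restored `<page docs/signing-keys"` on line 58 is also missing its closing `>`, which the "add the correct >." commit then has to fix.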
Matt Pagan authored on 05/11/2013 23:20:17
Showing 1 changed file
... ...
@@ -48,43 +48,31 @@
48 48
 
49 49
     <h3>Where do I get the signatures and the keys that made them?</h3>
50 50
     <hr>
51
-
52
-    <p>Each file on <a href="<page download/download>">our download
51
+    <p>Each file on <a href="/web/20130929222100/https://www.torproject.org/download/download.html.en">our download
53 52
     page</a> is accompanied by a file with the same name as the
54 53
     package and the extension ".asc". These .asc files are GPG
55 54
     signatures. They allow you to verify the file you've downloaded
56 55
     is exactly the one that we intended you to get. For example,
57
-    tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
58
-    tor-browser-<version-torbrowserbundle>_en-US.exe.asc. For a list
59
-    of which developer signs which package, see our <a href="<page
60
-    docs/signing-keys>">signing keys</a> page.</p>
61
-
62
-    <img alt="Download the bundle and the signature" src="../../images/download-tbb-sig.jpg" width="746" height="397">
63
-    
64
-    <br />
56
+    tor-browser-2.3.25-13_en-US.exe is accompanied by
57
+    tor-browser-2.3.25-13_en-US.exe.asc. For a list
58
+    of which developer signs which package, see our <a href="/web/20130929222100/https://www.torproject.org/docs/signing-keys.html.en">signing keys</a> page.</p>
65 59
     <h3>Windows</h3>
66 60
     <hr>
67
-
68 61
     <p>You need to have GnuPG installed before
69 62
     you can verify signatures. Download it from <a
70
-    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
71
-
63
+    href="/web/20130929222100/http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
72 64
     <p>Once it's installed, use GnuPG to import the key that signed your
73 65
     package. Since GnuPG for Windows is a command-line tool, you will need
74
-    to use <i>cmd.exe</i>.<br></br>
75
-
76
-    <img alt="cmd.exe" src="../../images/cmd.jpg" width="405" height="512">    
77
-    
66
+    to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
67
+    you will need to tell Windows the full path to the GnuPG program. If
68
+    you installed GnuPG with the default values, the path should be
69
+    something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
78 70
     <p>Erinn Clark signs the Tor Browser Bundles. Import her key
79
-    (0x63FEE659) by starting <i>cmd.exe</i> and typing:</p>
80
-
81
-    <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>
82
-
83
-    <p><strong>Note that Windows 8 users may need to type gpg2 rather than gpg.</strong> <br />After importing the key, you can verify that the fingerprint
71
+    (0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
72
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
73
+    <p>After importing the key, you can verify that the fingerprint
84 74
     is correct:</p>
85
-
86
-    <pre>gpg --fingerprint 0x63FEE659</pre>
87
-
75
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659</pre>
88 76
     <p>You should see:</p>
89 77
     <pre>
90 78
     pub   2048R/63FEE659 2003-10-16
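Review bot: lines 51, 58 and 63 replace the site's `<page>` macros with `/web/20130929222100/...` paths, which are web.archive.org (Wayback Machine) snapshot prefixes copied from an archived copy of the page and will not resolve on torproject.org; keep the macros. Lines 56-57 likewise replace the `<version-torbrowserbundle>` macro with a hard-coded `2.3.25-13`, which will go stale. The switch from the short key ID 0x63FEE659 to the full 64-bit 0x416F061063FEE659 (lines 71-72, 75) is a real improvement, since 32-bit key IDs are easy to collide, but dropping the "Windows 8 users may need to type gpg2" note (line 83) and the screenshots are user-visible changes that a commit message should explain.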
... ...
@@ -94,16 +82,11 @@
94 82
     uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
95 83
     sub   2048R/EB399FD7 2003-10-16
96 84
 </pre>
97
-
98 85
     <p>To verify the signature of the package you downloaded, you will need
99 86
     to download the ".asc" file as well. Assuming you downloaded the
100 87
     package and its signature to your Desktop, run:</p>
101
-    
102
-    <pre>cd Desktop</pre>
103
-    <pre>gpg --verify tor-browser-&lt VERSION NUMBER &gt_en-US.exe.asc tor-browser-&lt VERSION NUMBER &gt_en-US.exe</pre>
104
-
88
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe</pre>
105 89
     <p>The output should say "Good signature": </p>
106
-
107 90
     <pre>
108 91
     gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
109 92
     gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
... ...
@@ -113,7 +96,6 @@
113 96
     gpg:          There is no indication that the signature belongs to the owner.
114 97
     Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
115 98
     </pre>
116
-
117 99
     <p>
118 100
     Notice that there is a warning because you haven't assigned a trust
119 101
     index to this person. This means that GnuPG verified that the key made
... ...
@@ -121,8 +103,6 @@
121 103
     to the developer. The best method is to meet the developer in person and
122 104
     exchange key fingerprints.
123 105
     </p>
124
-    <img alt="Verify the signature" src="../../images/verify-bundle.png" width="769" height="454">
125
-    <br />
126 106
     <h3>Mac OS X</h3>
127 107
     <hr>
128 108
 
Matt Pagan authored on 03/11/2013 03:45:20
Showing 1 changed file